PHP Registration code

Question

I am currently attempting to create a registration script to enter registration information into my UserAccount table. Below is my connection:

<?php
//database preparation
$usr = "username";
$pwd = "password"; //put your php password
$host = "computing";
$db = $usr;
$conn = mysqli_connect($host, $usr, $pwd, $db);
if (!$conn){
echo "<p>server connection error:
mysqli_connect_error()</p>";
}
$_SESSION['conn'] = $conn; //database connection status 
transfer;
?>

And here is the registration I am having difficulty with.

<?php
include "conn.php";

$email_address = $_POST['email_address'];
$password = md5($_POST['password']);
$f_name = $_POST['f_name'];
$s_name = $_POST['s_name'];

$insert = 'INSERT INTO UserAccount(email_address, password, f_name, s_name) 
VALUES("'.$email_address.'","'.$password.'","'.$f_name.'","'.$l_name.'")';

mysql_query($insert);


?>

When entering information I get a blank page and no data entries into my table, I was wondering why?

Answer 1

You have a typo

mysql_query($insert); should be mysqli_query($insert);

You can't make mysql queries onto a mysqli connection.

Answer 2

You have to see if your query is even being executed? what's the error that your query is returning? Try

mysqli_query($conn,$insert) or die(mysqli_error($conn));

That will tell you why there is no data. Good time you moved to MYSQLI or PDO

EDIT:

Also you are using a variable $l_name which has not been declared before. In your query it should be $s_name . Most probably your table is set to NOT accept blank value for l_name and that's where it fails

Answer 3

Try the following by changing the single and double quotes around:

$insert = "INSERT INTO UserAccount(email_address, password, f_name, s_name) 
VALUES('".$email_address."','".$password."','".$f_name."','".$l_name."')";

This is good practice! The page will be blank but at least you should get entry in the table.

Also check if the database name $db should be the same as the $usr ? Is this correct?

$db = $usr;

Shouldn't this be something like

$db = "databaseName";

Final thought:

There is a keyword variable transfer; that looks funny. Because of the setup of php error reporting/handling it might cause an error but not show/report it thus the blank page. Use echo at specific places in the code to see where it stops.

Should it be $transfer; and should it receive a variable?

The other thought is that if you have $_SESSION['conn'] there should be a session_start(); just after the opening <?php tag. This might all cause the conn.php to fail thus breaking the INSERT .

Answer 4

Don't ever use mysql_ functions this way! Seriously!

• You are risking SQL injection by using untreated data directly in your query
  • someone could formulate a malicious request that could expose, or corrupt your data
• mysql_* functions are deprecated as of PHP 5.5!
  • they are not supported anymore!

Solution:

• use prepared statements
• Use PDO
• or use mysqli consistently throughout the application (as others noted)

Of all these, I'd suggest going the PDO way:

try {
    //open connection, this is different than in the old functions
    $dbh = new PDO('mysql:host=localhost;dbname=test', $user, $pass);

    //***running query
    //**step1: create statement
    $stmt = $dbh->prepare('INSERT INTO UserAccount(email_address, password, f_name, s_name) 
    VALUES( :email, :password,:f_name,:l_name)'); //notice parameters prefixed with ':'

    //**step2: bind values (be sure to also check out the bindParameter() function too!)
    $stmt->bindValue(':email', $email_address);
    $stmt->bindValue(':password', $password);
    $stmt->bindValue(':f_name', $f_name);
    $stmt->bindValue(':l_name', $l_name);

    //**step3: exexcute statement
    $stmt->execute();

    $dbh = null;
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}